posted 2017-08-10 11:18:05 +0200

Protect the might cancel mechanism proper in kernel-timerfd CVE-2017-10661

Description
The handling of the might_cancel queueing is not properly protected, so parallel operations on the file descriptor can race with each other and lead to list corruptions or use after free. Protect the context for these operations with a separate lock. The wait queue lock cannot be reused for this because that would create a lock inversion scenario vs. the cancel lock. Replacing might_cancel with an atomic (atomic_t or atomic bit) does not help either because it still can race vs. the actual list operation.

Elevation of Privilege vulnerability CVSS rating: High local

Upstream Patch is available.

File affected: kernel-adaptation-sbj-3.4.108.20161101.1/fs/timerfd.c lines 35-39; 86-92; 96-101; 106-108 (differs in '|| ctx->clockid == CLOCK_REALTIME_ALARM' line 109-110); 114-120; 268-271
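
The locking pattern the description calls for, as an added example that is not part of the original post and is not the kernel's code: a userspace pthread model in which a per-context lock covers both the `might_cancel` check and the list operation. All names except `might_cancel` and `cancel_lock` are hypothetical, and the `want` flag stands in for the clock and flag conditions that `fs/timerfd.c` evaluates.

```c
/* Userspace model of the locking pattern; not kernel code, names are hypothetical. */
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
struct ctx {
    struct ctx *prev, *next;     /* links into the global cancel list */
    bool might_cancel;           /* true iff currently on cancel_list */
    pthread_mutex_t cancel_lock; /* per-context: covers flag check AND list op */
};
static struct ctx cancel_list = { &cancel_list, &cancel_list, false, PTHREAD_MUTEX_INITIALIZER };
static pthread_mutex_t list_lock = PTHREAD_MUTEX_INITIALIZER; /* global list lock */

static void remove_cancel_locked(struct ctx *c) { /* caller holds c->cancel_lock */
    if (!c->might_cancel) return;
    c->might_cancel = false;
    pthread_mutex_lock(&list_lock);
    c->prev->next = c->next; c->next->prev = c->prev;
    pthread_mutex_unlock(&list_lock);
}
static void setup_cancel(struct ctx *c, bool want) {
    /* Without this lock two callers can both see might_cancel == false and link c twice. */
    pthread_mutex_lock(&c->cancel_lock);
    if (want && !c->might_cancel) {
        c->might_cancel = true;
        pthread_mutex_lock(&list_lock);
        c->next = cancel_list.next; c->prev = &cancel_list;
        cancel_list.next->prev = c; cancel_list.next = c;
        pthread_mutex_unlock(&list_lock);
    } else if (!want) {
        remove_cancel_locked(c);
    }
    pthread_mutex_unlock(&c->cancel_lock);
}
static void *worker(void *arg) { /* parallel settime-style calls on one context */
    for (int i = 0; i < 100000; i++) setup_cancel(arg, i & 1);
    return NULL;
}
/* Race 4 threads on c, then count list entries; every thread ends with want=true. */
int stress(struct ctx *c) {
    pthread_t t[4];
    int n = 0;
    for (int i = 0; i < 4; i++) pthread_create(&t[i], NULL, worker, c);
    for (int i = 0; i < 4; i++) pthread_join(t[i], NULL);
    for (struct ctx *p = cancel_list.next; p != &cancel_list; p = p->next) n++;
    return n;
}
int main(void) {
    struct ctx c = { NULL, NULL, false, PTHREAD_MUTEX_INITIALIZER };
    return stress(&c) == 1 ? 0 : 1; /* exactly one entry: flag and list agree */
}
```

Making only the flag atomic would still leave a window between the flag update and the list update, which is why the lock has to span both.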